On 4/15/2010 2:57 PM, Mossman, Paul (Paul) wrote:
> Hi all,
>
> Regarding XX-6764 [1], I have an objection to this feature as described:
>
> "On the login screen there shall be a link that allows recovering the
> password. Upon activation sipXconfig generates a new password for the User ID
> entered, stores that new password in the system, and sends an email to the
> email address registered for the user that includes the new password."
>
> This would allow anyone with IP access to invalidate the current PIN of any
> known user. That could be very disruptive.
>
> The "Forgot PIN" link should instead email the User a "secret" link, which
> can then be used to set a new PIN. That would make it considerably more
> difficult for a malicious person to erase a User's PIN.
>
> I also think this functionality should not be available for any User with
> Administration permission, and/or no defined email address.
>
> Thoughts?
>
>
> -Paul
> [email protected]
>
>
> [1] http://track.sipfoundry.org/browse/XX-6764 Provide password recovery
> mechanism
>
> _______________________________________________
> sipx-dev mailing list [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-dev
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
> sipXecs IP PBX -- http://www.sipfoundry.org/
>
+1! I like that, Paul, as that is how many web applications work.
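
Added example, not part of the original thread and not sipXconfig code: a sketch of the emailed secret-link flow proposed above, in which requesting a reset leaves the current PIN untouched and accounts with Administration permission or no email address are refused. The class and function names, the one-hour lifetime, the URL and the in-memory stores are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed link lifetime in seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class PinResetService:
    """Hypothetical sketch; `users` stands in for the real credential store."""

    def __init__(self, users, send_mail, now=time.time):
        self.users = users        # user_id -> {"pin", "email", "admin"}
        self.send_mail = send_mail
        self.now = now
        self.pending = {}         # sha256(token) -> (user_id, expiry)

    def request_reset(self, user_id):
        """Mail a one-time link. The current PIN is never touched here."""
        user = self.users.get(user_id)
        # Unknown users, administrators and accounts without an email address
        # are refused; the login page should show the same message either way.
        if not user or user["admin"] or not user["email"]:
            return False
        # A new request replaces any link still pending for this user.
        self.pending = {d: e for d, e in self.pending.items() if e[0] != user_id}
        token = secrets.token_urlsafe(32)
        # Only the digest is stored, so a leaked table yields no usable links.
        self.pending[_digest(token)] = (user_id, self.now() + TOKEN_TTL)
        self.send_mail(user["email"],
                       "https://pbx.example.invalid/reset?token=" + token)
        return True

    def redeem(self, token, new_pin):
        """Set the new PIN only for a valid, unexpired, unused token."""
        entry = self.pending.pop(_digest(token), None)  # pop makes it single-use
        if entry is None or self.now() > entry[1]:
            return False
        self.users[entry[0]]["pin"] = new_pin
        return True


if __name__ == "__main__":
    # Constructed sample account, not data from the thread.
    accounts = {"200": {"pin": "1234", "email": "u200@example.invalid", "admin": False}}
    outbox = []
    svc = PinResetService(accounts, lambda to, link: outbox.append(link))
    svc.request_reset("200")
    print(accounts["200"]["pin"], outbox[0])  # old PIN stays valid until the link is used
```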